Saturday, 16 July 2016

Getting a network trace from a single application

I recently wanted a way to get a network packet trace from a specific application. My googling showed me an old askubuntu thread that solved this by using Linux network namespaces.

You create a new network namespace, which is isolated from your regular network, then use a virtual network interface pair and iptables to let traffic from that namespace reach your regular network. Start the application and wireshark inside the namespace, and wireshark sees only that application's traffic.
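As an added example (not code from this post or from nsntrace), here is a POSIX shell script that performs those steps by hand: it creates a namespace, connects it to the host with a veth pair, masquerades its traffic out of the host's default interface with iptables, and runs tcpdump inside the namespace while the application runs there. The namespace name, the veth names and the 10.200.0.0/30 link subnet are assumptions chosen for this example; wireshark can be started inside the namespace the same way instead of tcpdump.

```shell
#!/bin/sh
# Added example, not the nsntrace project's code. Runs one application in
# its own network namespace and captures only that application's packets.
# Names and addresses below are assumptions chosen for the example.
NS_NAME="${NS_NAME:-nstrace}"
VETH_HOST="${VETH_HOST:-nsveth0}"   # host side of the veth pair
VETH_NS="${VETH_NS:-nsveth1}"       # side moved into the namespace
HOST_IP="10.200.0.1"
NS_IP="10.200.0.2"
LINK_NET="10.200.0.0/30"

# Interface carrying the host's default route; namespace traffic is NATed out of it.
default_iface() {
    ip -o route show default 2>/dev/null | awk '{print $5; exit}'
}

# Print (rather than run) the privileged commands so they can be reviewed
# before execution. The FORWARD rules matter on hosts whose default FORWARD
# policy is DROP (e.g. machines running Docker).
setup_commands() {
    out_if="$1"
    cat <<EOF
ip netns add $NS_NAME
ip link add $VETH_HOST type veth peer name $VETH_NS
ip link set $VETH_NS netns $NS_NAME
ip addr add $HOST_IP/30 dev $VETH_HOST
ip link set $VETH_HOST up
ip netns exec $NS_NAME ip addr add $NS_IP/30 dev $VETH_NS
ip netns exec $NS_NAME ip link set $VETH_NS up
ip netns exec $NS_NAME ip link set lo up
ip netns exec $NS_NAME ip route add default via $HOST_IP
sysctl -q -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LINK_NET -o $out_if -j MASQUERADE
iptables -A FORWARD -i $VETH_HOST -o $out_if -j ACCEPT
iptables -A FORWARD -i $out_if -o $VETH_HOST -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Deleting the namespace also removes both ends of the veth pair.
teardown_commands() {
    out_if="$1"
    cat <<EOF
iptables -D FORWARD -i $out_if -o $VETH_HOST -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i $VETH_HOST -o $out_if -j ACCEPT
iptables -t nat -D POSTROUTING -s $LINK_NET -o $out_if -j MASQUERADE
ip netns del $NS_NAME
EOF
}

main() {
    out_if="$(default_iface)"
    [ -n "$out_if" ] || { echo "no default route found" >&2; exit 1; }
    pcap="${PCAP:-/tmp/$NS_NAME-$$.pcap}"
    setup_commands "$out_if" | sh -e
    # Always stop the capture and undo the network changes, even if the app fails.
    trap 'kill "$tcpdump_pid" 2>/dev/null; teardown_commands "$out_if" | sh' EXIT
    ip netns exec "$NS_NAME" tcpdump -i "$VETH_NS" -w "$pcap" &
    tcpdump_pid=$!
    sleep 1    # give tcpdump time to open the interface before the app starts
    # Run the application as the invoking user when started through sudo,
    # so it sees the user's normal home directory and configuration.
    if [ -n "${SUDO_USER:-}" ]; then
        ip netns exec "$NS_NAME" sudo -u "$SUDO_USER" "$@"
    else
        ip netns exec "$NS_NAME" "$@"
    fi
    echo "capture written to $pcap" >&2
}

# Usage: sudo sh nstrace.sh curl https://example.org
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two practical caveats: the namespace shares the host's /etc/resolv.conf unless /etc/netns/nstrace/resolv.conf exists (ip netns exec bind-mounts that directory over /etc), so a stub resolver listening on 127.0.0.53 on the host is unreachable from inside and name resolution fails until a real nameserver is configured there; and abstract Unix sockets are scoped to the network namespace, so a GUI application must reach the X server through the filesystem socket under /tmp/.X11-unix rather than the abstract one.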

I took that idea and made it into a small program, nsntrace, hosted on GitHub.

I do not think the approach taken here is really suitable for a library. It is pretty invasive. We create a namespace and manipulate the network inside, and then launch an application inside. It is not, as far as I know, possible to move an application to a different network namespace on the fly.

For what you describe above we would need a situation where all apps are started in a namespace of their own. It would take a more systematic approach which is possible when you control the system more directly as with Android.

Hi! It would be nice to have the ability to redirect traffic to (for example) SOCKS5 on a per-process level also. Now I use tsocks (http://tsocks.sourceforge.net/) to achieve this; it works, but it's clumsy: I need to create a .conf file for each proxy I want to redirect traffic to.